2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
31 #include <sys/param.h>
42 #include <security/pam_appl.h>
43 #include <security/pam_modules.h>
44 #include <security/pam_mod_misc.h>
46 static const char superuser[] = "root";
48 static long get_su_principal(krb5_context, const char *, const char *,
49 char **, krb5_principal *);
50 static int auth_krb5(pam_handle_t *, krb5_context, const char *,
54 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
55 int argc __unused, const char *argv[] __unused)
58 krb5_principal su_principal;
61 char *su_principal_name;
65 pamret = pam_get_user(pamh, &user, NULL);
66 if (pamret != PAM_SUCCESS)
68 PAM_LOG("Got user: %s", user);
69 pamret = pam_get_item(pamh, PAM_RUSER, &ruser);
70 if (pamret != PAM_SUCCESS)
72 PAM_LOG("Got ruser: %s", (const char *)ruser);
73 rv = krb5_init_context(&context);
75 const char *msg = krb5_get_error_message(context, rv);
76 PAM_LOG("krb5_init_context failed: %s", msg);
77 krb5_free_error_message(context, msg);
78 return (PAM_SERVICE_ERR);
80 rv = get_su_principal(context, user, ruser, &su_principal_name, &su_principal);
82 return (PAM_AUTH_ERR);
83 PAM_LOG("kuserok: %s -> %s", su_principal_name, user);
84 rv = krb5_kuserok(context, su_principal, user);
85 pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR;
86 free(su_principal_name);
87 krb5_free_principal(context, su_principal);
88 krb5_free_context(context);
93 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
94 int ac __unused, const char *av[] __unused)
100 /* Authenticate using Kerberos 5.
101 * pamh -- The PAM handle.
102 * context -- An initialized krb5_context.
103 * su_principal_name -- The target principal name, used only for password prompts.
104 * If NULL, the password prompts will not include a principal
106 * su_principal -- The target krb5_principal.
107 * Note that a valid keytab in the default location with a host entry
108 * must be available, and that the PAM application must have sufficient
109 * privileges to access it.
110 * Returns PAM_SUCCESS if authentication was successful, or an appropriate
111 * PAM error code if it was not.
114 auth_krb5(pam_handle_t *pamh, krb5_context context, const char *su_principal_name,
115 krb5_principal su_principal)
118 krb5_get_init_creds_opt *gic_opt;
119 krb5_verify_init_creds_opt vic_opt;
126 krb5_verify_init_creds_opt_init(&vic_opt);
127 if (su_principal_name != NULL)
128 (void)asprintf(&prompt, "Password for %s:", su_principal_name);
130 (void)asprintf(&prompt, "Password:");
132 return (PAM_BUF_ERR);
134 pamret = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
136 if (pamret != PAM_SUCCESS)
138 rv = krb5_get_init_creds_opt_alloc(context, &gic_opt);
140 const char *msg = krb5_get_error_message(context, rv);
141 PAM_LOG("krb5_get_init_creds_opt_alloc: %s", msg);
142 krb5_free_error_message(context, msg);
143 return (PAM_AUTH_ERR);
145 rv = krb5_get_init_creds_password(context, &creds, su_principal,
146 pass, NULL, NULL, 0, NULL, gic_opt);
147 krb5_get_init_creds_opt_free(context, gic_opt);
149 const char *msg = krb5_get_error_message(context, rv);
150 PAM_LOG("krb5_get_init_creds_password: %s", msg);
151 krb5_free_error_message(context, msg);
152 return (PAM_AUTH_ERR);
154 krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1);
155 rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL,
157 krb5_free_cred_contents(context, &creds);
159 const char *msg = krb5_get_error_message(context, rv);
160 PAM_LOG("krb5_verify_init_creds: %s", msg);
161 krb5_free_error_message(context, msg);
162 return (PAM_AUTH_ERR);
164 return (PAM_SUCCESS);
167 /* Determine the target principal given the current user and the target user.
168 * context -- An initialized krb5_context.
169 * target_user -- The target username.
170 * current_user -- The current username.
171 * su_principal_name -- (out) The target principal name.
172 * su_principal -- (out) The target krb5_principal.
173 * When the target user is `root', the target principal will be a `root
174 * instance', e.g. `luser/root@REA.LM'. Otherwise, the target principal
175 * will simply be the current user's default principal name. Note that
176 * in any case, if KRB5CCNAME is set and a credentials cache exists, the
177 * principal name found there will be the `starting point', rather than
178 * the ruser parameter.
180 * Returns 0 for success, or a com_err error code on failure.
183 get_su_principal(krb5_context context, const char *target_user, const char *current_user,
184 char **su_principal_name, krb5_principal *su_principal)
186 krb5_principal default_principal;
188 char *principal_name, *ccname, *p;
192 *su_principal = NULL;
193 default_principal = NULL;
194 /* Unless KRB5CCNAME was explicitly set, we won't really be able
195 * to look at the credentials cache since krb5_cc_default will
203 p = getenv("KRB5CCNAME");
207 (void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT, (unsigned long)ruid);
210 rv = krb5_cc_resolve(context, ccname, &ccache);
213 rv = krb5_cc_get_principal(context, ccache, &default_principal);
214 krb5_cc_close(context, ccache);
216 default_principal = NULL; /* just to be safe */
221 if (default_principal == NULL) {
222 rv = krb5_make_principal(context, &default_principal, NULL, current_user, NULL);
224 PAM_LOG("Could not determine default principal name.");
228 /* Now that we have some principal, if the target account is
229 * `root', then transform it into a `root' instance, e.g.
230 * `user@REA.LM' -> `user/root@REA.LM'.
232 rv = krb5_unparse_name(context, default_principal, &principal_name);
233 krb5_free_principal(context, default_principal);
235 const char *msg = krb5_get_error_message(context, rv);
236 PAM_LOG("krb5_unparse_name: %s", msg);
237 krb5_free_error_message(context, msg);
240 PAM_LOG("Default principal name: %s", principal_name);
241 if (strcmp(target_user, superuser) == 0) {
242 p = strrchr(principal_name, '@');
244 PAM_LOG("malformed principal name `%s'", principal_name);
245 free(principal_name);
249 *su_principal_name = NULL;
250 (void)asprintf(su_principal_name, "%s/%s@%s", principal_name, superuser, p);
251 free(principal_name);
253 *su_principal_name = principal_name;
255 if (*su_principal_name == NULL)
257 rv = krb5_parse_name(context, *su_principal_name, &default_principal);
259 const char *msg = krb5_get_error_message(context, rv);
260 PAM_LOG("krb5_parse_name `%s': %s", *su_principal_name, msg);
261 krb5_free_error_message(context, msg);
262 free(*su_principal_name);
265 PAM_LOG("Target principal name: %s", *su_principal_name);
266 *su_principal = default_principal;
270 PAM_MODULE_ENTRY("pam_ksu");